Securing HAProxy Headers

Overview

https://securityheaders.io will give a score of how well placed the HTTP headers are on a site ranging from A+ to F (not sure what the R rating is for). Headers are a powerful meta (invisible to the naked eye) data used a lot for website statistics and used in Google’s Analytics. This also means they can leak information such as when someone goes from one site to the another.

Below are some tips specifically HAProxy using sources of information below (with corrections to work with HAProxy 1.8).

haproxy.cfg

The below extract using example below show the syntax to configure what is in Siddharth Deshpande however updated with corrections:
backend myBackend
http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
http-response set-header X-Frame-Options "SAMEORIGIN"
http-response add-header X-XSS-Protection "1; mode=block"
http-response add-header X-Content-Type-Options "nosniff"
http-response set-header Referrer-Policy no-referrer-when-downgrade

The only one I haven’t figured out yet is the content security policy.

Summary

For a simple like mine, the settings are fairly trival and using the material to explain what they do is fairly simple to add without violating the added security.

Securing haproxy and nginx via HTTP Headers

Setting Security Headers in Haproxy

Content Security Policy Cheat Sheet

About Danny

I.T software professional always studying and applying the knowledge gained and one way of doing this is to blog. Danny also has participates in a part time project called Energy@Home [http://code.google.com/p/energyathome/] for monitoring energy usage on a premise. Dedicated to I.T since studying pure Information Technology since the age of 16, Danny Tsang working in the field that he has aimed for since leaving school. View all posts by Danny → This entry was posted in Linux, Networking, Web Server and tagged , , , , , , , , . Bookmark the permalink.

One Response to Securing HAProxy Headers

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.